Risk Decision Making: Whose call is it?


    I still occasionally run into a debate with colleagues over whether security should be making the major information risk decisions for an organization, or whether it’s business management’s responsibility. Rather than just spew my opinion, let me try to build an illustration of how I view the problem.

    Picture this…

    1. Risk decisions are the things that drive policies, priorities, initiatives, and actions (this falls under the category of “duh”).

    2. Well-informed risk decisions are dependent upon knowing the risk associated with the decisions, as well as the best risk management options. Risk tolerance also is an inevitable factor (we’ll discuss the question of whose risk tolerance further on).

    3. Understanding risk, of course, requires that we understand the factors that drive impact (stakeholders, laws, contracts, competitive landscape, etc.), the assets associated with impact, threats against those assets, and controls that are in place to manage risk. Absent any of these inputs, our understanding of risk can be seriously deficient and the resulting decisions flawed.

    4. So far – no surprises. At this point, however, things begin to get a bit more interesting… Specifically, risk tolerance is derived from three inputs: risk capacity, the decision’s value proposition (the potential upside associated with the risk scenario), and the decision-maker’s subjective risk tolerance (more on this further on).

    5. Risk capacity also has three inputs: the organization’s current condition, its objectives, and its portfolio of competing risk issues. It’s important to recognize, too, that these factors will often vary across the different types of loss (e.g., productivity, competitive advantage, resources, reputation, etc.). For example, an organization that has a significant stockpile of resources will have more capacity for resource loss than will an organization that operates on a shoestring. Likewise, an organization that is trying to build market share will have less capacity for reputation damage than will one that already leads the competition and/or that has a very loyal customer base.

    The point is, tolerances will vary not only between organizations but also between types of loss within an organization.

    With regard to competing risk issues, it’s important to keep in mind that information-related risk is only one of many risk domains management has to deal with (e.g., market, insurance, investment, etc.). Combine this with complex organizational conditions and objectives, as well as limited resources, and it becomes clear how important (and difficult) it is to strike the right balance in applying risk management resources.

    6. Speaking of resources…available resources and capabilities help to drive which risk management options are feasible. These resources, of course, are dependent on the organization’s condition. Note, too, that resources and capabilities can affect risk tolerance, as an organization with fewer resources for mitigating risk may be forced to accept more risk if, for example, a decision’s value proposition is particularly compelling.

    7. And finally, the policies, priorities, initiatives, and actions that result from risk decisions will have an effect on risk and the organization’s condition (for good or ill). At the very least, expenditures made to manage information risk are no longer available to use on competing risk issues and opportunities.

    Okay, if by now you haven’t fallen asleep or decided to spend your time elsewhere, I’ll tie all this back to the original question of who should be making the decisions regarding information risk…

    Carving it up

    Using this illustration of the risk decision elements we can draw lines that carve the landscape into three parts –

    • Those elements that would appear to belong to business management,
    • Those elements that would appear to belong to the subject matter experts (in this case, us), and
    • Those elements in the middle that, well, could go either way.

    Note that the decision itself falls into the “could go either way” domain, which means I can’t give you a definitive, “This is how it should be” answer. What isn’t surprising is that who makes the risk decisions will vary from organization to organization. What’s unfortunate is that in many companies security leadership believes they are (or should be) empowered to make the major decisions while business leadership believes otherwise. Speaking from painful personal experience, this disconnect can cause significant trouble.

    Size matters

    Of course, what I mean is that the size (significance) of the risk decision also determines who can/should/will make the decision. Business management isn’t usually going to be involved in day-to-day operational risk decisions. Furthermore, security management can’t personally be involved in each discrete risk decision that takes place throughout the organization (e.g., Clerk: “Hmmm. Should I shred this document, or just chuck it in the trash?”). These day-to-day and discrete risk decisions are where good policies, procedures, and risk awareness education come in.

    At the end of the day, decision significance is a continuum rather than a binary or clearly differentiated scale. Consequently, some decisions fall into a grey area regarding who should make what call. For these issues, the question of who should make the decision will vary from organization to organization. You can, however, work with management to come up with some ground rules; for example, policies, policy exceptions, strategic initiatives, and significant expenditures fall into business management’s court, and security deals with the rest.

    Look again

    With regard to discrete risk decisions, take a close look at the risk decision diagram. You’ll see that the diagram applies quite well whether we’re talking about major strategic decisions or the discrete risk decisions being made by employees countless times each day. The only difference is that, in the absence of a clear understanding of organizational risk tolerance, employees WILL substitute their own views of organizational risk tolerance (or leave it out of the equation altogether). In any event, employees often will be placed in the unfortunate position of having to reconcile organizational risk tolerance with their own conditions/objectives/competing risk issues, etc. (e.g., the question of choosing compliance with security policy over meeting the deadline their bonus is resting on…). This highlights the need to be aware of, and manage, issues related to competing individual and organizational priorities.

    Something else to think about is that policies and processes will never cover all of the potential risk decisions our employees face. As a result, it’s critical that education and awareness efforts go beyond regurgitating policy, and include information that helps employees understand risk and the organization’s risk tolerance so that they can make good judgment calls. This better understanding also helps them tolerate those policies they otherwise chafe at.

    Things to consider

    The simple fact is, security leadership will never know as much about the business-related elements at the top of the illustration, and business management will never know as much about the risk elements at the bottom. Consequently, if security is empowered to make the major decisions, then they need to spend the time and effort to learn as much as they can about the business-related elements. On the other hand, if business leadership is making the major risk decisions, then security must provide clear, unbiased, and useful information so that the decisions are well informed.

    (For those who are curious, I strongly prefer that business management make the major risk decisions where I work. I’m far more comfortable in my ability to provide them with good risk information and mitigation options than I am in my ability to sufficiently learn and understand the complex business landscape. Besides, when they’re the ones who have made the decisions, pushback and arguments are largely eliminated. I’ve also found that you have far more influence as a trusted advisor than as a combatant.)

    A decision-maker will to some degree ALWAYS apply his or her own personal risk tolerance to a decision. Consequently, if security leadership has been empowered to make major risk decisions, they should try very hard to be as aware as possible of business management’s risk tolerances. If security leadership isn’t careful on this, then they will, invariably, run into issues where business management doesn’t support security’s decisions. And if the misalignment is bad enough (and I’ve both witnessed this and come close to having it happen to me – long ago) then it can become a “terminal” condition. At the very least it makes the waters far choppier than necessary.

    I make it a point to review the risk decision question (and now the diagram) with business management whenever I take a new job or have a new business leader join the organization I work for, even if I’m pretty confident about where they stand. When I’ve had these conversations it’s always generated very productive dialog and has strengthened the relationship.

    Note: This posting will soon be reproduced as a white paper and/or PowerPoint on the RMI website.

    8 comments

    1. shrdlu Jul 9

      Jack, might I suggest one more input? Feedback — that is, metrics that measure the effects of the risk management decisions. I would recommend putting this in the SME area, especially if it involves taking metrics on a technical level. SMEs need to communicate to the business leaders how well their expectations and decisions panned out, since naturally they will want to revisit those decisions on a periodic basis (right? … right? :-).

    2. Chris Hayes Jul 9

      Hi Jack. Very well written and very easy to understand. I look forward to the white paper. Any particular reason why you excluded most of the “traditional” FAIR factoring diagram underneath the RISK element – particularly LEF and PLM?

    3. Christofer Hoff Jul 9

      Jesus, my head hurts! ;)

      Great post, Jack.

      I have a couple of stupid questions, however.

      How would you represent time as a continuum affecting this process? Or would you at all?

      Interestingly, as you went so far as to include the fact that a “…decision-maker will to some degree ALWAYS apply his or her own personal risk tolerance to a decision” how might you (if at all) attach weight to any of these elements? The very definition of “risk” is also interesting.

      Am I reading too much into this?

      /Hoff

    4. Jack Jul 9

      @shrdlu - Great feedback! Thanks. You’re absolutely correct about the importance of keeping management informed of the results. I guess I’d included that (in my own mind) in the feedback loop between “Policies, Priorities, Initiatives & Actions” and “Business Condition” (#7 in the list). I sure wasn’t explicit though.

      @Chris (Hayes) - Good question, and one I debated with myself quite a bit. Actually, I could have drilled deeper in many of the elements but wanted to keep this at a level of abstraction that made it useful and yet not too “heavy”. Was afraid that if I drilled into the FAIR taxonomy it wouldn’t be meaningful (and might be confusing) to folks who aren’t familiar with it.

      @Chris (Hoff) - Sorry about the headache…;-) Glad you liked the post though. Your question about time is interesting and decidedly not stupid. It’s also not something I had thought about. Off the top of my head I’d assume that the time continuum would be dependent on, at least, the nature of the decision (e.g., a week-long strategic planning session versus an incident response firefight). There may be more to it than that. Have to chew on that awhile…

      As for “weighting” elements - thanks for asking! (I can just imagine Alex cringing in anticipation of my response…) My off-the-cuff answer is that I wouldn’t use weights. In fact (as Alex will be quick to tell you) I refuse to weigh factors in any analysis method I develop/use because I feel it’s a “cheat” used to compensate for a lack of understanding of what’s really driving a result/outcome. It’s probably not always a reasonable position to take (absolute understanding being unattainable), but I try real hard to operate as close to there as I can reasonably get.

      Regarding “risk” - I’m always quick to encourage folks to read the FAIR introduction white paper (or at least the first half or so) to find a more complete (and useful) definition. I’ll post an abbreviated version on the blog sometime if there’s interest.

    5. Rob Wettling Jul 10

      Jack, thanks for telling me about the blog. You’re right; there is only so much info to include and keep a person’s interest. Now I need to go back and read the FAIR white paper!

    6. John O’Leary Jul 10

      Jack,

      This is excellent.

      Clear, logical, carefully delineated. It’s easy to follow the flow and see how the thinking behind it works as the model handles the addition of increasing layers of real-world complexity.

      I have only one additional comment, and it refers way back to the first element in the model. In my experience, I’ve often seen policies, priorities, initiatives, even the values espoused by management drive risk decisions as much as risk decisions drive policies and initiatives. This in no way limits the value of the model.

      Very nicely done.

    7. Katiso Jul 11

      Hi Jack

      I’m in the process of finalising a discussion document (for my organisation’s purposes) regarding the clear delineation of roles and responsibilities in my organisation’s enterprise-wide risk management process. I’ve found time and again that the various stakeholders (i.e. “technical experts”, “business management”) fail to distinguish between the analysis (risk identification, risk assessment) and decision-making aspects (prioritisation, mitigation, etc.) of the risk management process, and this most of the time leads to jurisdictional confusion and turf wars. I find your insights quite useful and very illuminating.

      Best regards,

    8. Jack Jul 12

      Thanks to all for your excellent feedback and observations (both online and offline). I’ll be certain to update the white paper accordingly.